Slide 5
Fundamentals of Large Projects
- The bigger the budget, the harder the fall
- Compound delays due to complex dependencies
- Corners cut to meet deadlines
- Functionality vs. Security
- Decisions rarely based upon a business case
- When was the last time you signed off $xxx million?
- Don’t believe me?

Slide 7
PPARs
“It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader
PPARs could’ve paid for:
- A 600-bed hospital
- 20 St. Patrick’s Day beers for every man, woman and child in Ireland

Slide 9
HP: The Adaptive Enterprise that couldn’t adapt
Total cost of implementation failure:
- US$400 million (revenue)
- US$275 million (operating profit)
- 3 executives’ heads
- Did I mention this was the total for Q3 2002?

Slide 13
Where does Security come in?
- At the end of a long queue
- By the time it reaches us, it is:
  - Non- or semi-functional
  - Delayed
  - Costing the business
- Security’s role is to SUSO (Shut Up, Sign Off)

Slide 14
Show me the SUSO
- You need to sign this off
- If you don’t:
  - You’re blocking the business
  - You’re costing us money
  - You’re getting in the way of the project
- If you do:
  - It’s your backside on the dotted line

Slide 15
End of Talk
Oh, you want more?

Slide 16
This is the price, right? Come on down!

Slide 17
This is the price, right?

Slide 18
How it works
- A question is asked
- Potential answers are shown
- You have to guess which one of the answers was an actual response

Slide 19
Question 1

Slide 20
Why can’t we use SSH?
A) It (PuTTY) isn’t vendor supported
B) SFTP doesn’t support ASCII
C) We don’t have a PKI
D) Key management is too difficult
E) The TCO for OpenSSH is too high

Slide 21
Why can’t we switch off RSH?
A) It requires a server rebuild
B) It requires extensive testing that would cost millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We don’t know what it would break

Slide 22
Why did the SI buy the tin prior to completing the design stage?
A) Because the vendor rebate would be lower next year
B) Because the client will have to write off the hardware expenditure anyway
C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up front they’re less likely to pull the plug later

Slide 23
Why were all the consultants on the job South African?
A) Because of S.A.’s extensive investment in enterprise technology training
B) Because all the experienced guys are from Joburg
C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

Slide 24
Why are these not risks?
A) Because it’s not live yet
B) Because you need an account to access the systems
C) Because you’d need to have an RSH client and a copy of finger to access the systems
D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because you’re holding the project up, so just sign off or there’ll be trouble

Slide 25
Well done!
- The good news is: people got prizes
- The bad news is: we’re all losers in the end

Slide 31
Points of interest
- There is no standard deployment
- There should be firewalls involved
- If there are, Any-Any rules may be used
- Sometimes the file server(s) are shared between dev, test and live too
- Sometimes the app server(s) are shared between dev, test and live too

Slide 38
Where to look
- /usr/sap/trans
- /usr/sap/
- /home/ adm
- There is no reason for these directories to be world-writable!
- Most should be 700, 770 or 775

Slide 39
From the trenches
“We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”
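A host-level check covering the two slides above, added here as an example and not code from the talk: it walks the SAP directories named on the "Where to look" slide for anything world-writable, and looks for the rsh trust files (.rhosts and hosts.equiv) that the quoted engineer is relying on, calling out the "+" wildcard entry that trusts any host or any user. It assumes a POSIX sh with find, sed and grep. The fixture it builds under mktemp (a /usr/sap/trans left at mode 777 and a .rhosts containing "+ +") is constructed for the demo, and "prdadm" is an assumed instance of SAP's <sid>adm user naming.

```shell
#!/bin/sh
# Added example, not from the original talk. Audits SAP host directories for
# world-writable entries and reports rsh trust files. Assumes POSIX sh,
# find(1), sed(1) and grep(1).

# Print every file or directory under each root whose mode grants write to
# "other" (the o+w bit), as one "WORLD-WRITABLE: <path>" line each.
# Symlinks are skipped because their own mode is meaningless.
# Prints nothing when the trees are clean.
audit_sap_dirs() {
    for root in "$@"; do
        if [ ! -e "$root" ]; then
            echo "MISSING: $root" >&2
            continue
        fi
        find "$root" ! -type l -perm -0002 2>/dev/null | sed 's/^/WORLD-WRITABLE: /'
    done
}

# Report rsh trust files: every .rhosts below $1 plus the hosts.equiv given
# as $2 (default /etc/hosts.equiv). A line beginning with "+" is the
# wildcard that trusts any host or any user, so it is flagged separately.
rsh_trust_files() {
    home_root="$1"
    equiv="${2:-/etc/hosts.equiv}"
    for f in $(find "$home_root" -type f -name .rhosts 2>/dev/null) "$equiv"; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*+' "$f"; then
            echo "RSH-TRUST (wildcard): $f"
        else
            echo "RSH-TRUST: $f"
        fi
    done
}

# Constructed fixture (not a real host): /usr/sap/trans left at 777 by a
# transport script, and a <sid>adm home (assumed name: prdadm) whose
# .rhosts holds the "+ +" wildcard. Modes are set explicitly so the demo
# does not depend on the caller's umask.
demo_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sap/trans" "$t/usr/sap/PRD" "$t/home/prdadm"
    chmod 755 "$t/usr" "$t/usr/sap" "$t/usr/sap/PRD" "$t/home"
    chmod 777 "$t/usr/sap/trans"
    chmod 700 "$t/home/prdadm"
    printf '+ +\n' > "$t/home/prdadm/.rhosts"
    chmod 600 "$t/home/prdadm/.rhosts"
    printf 'appsrv01 prdadm\n' > "$t/etc_hosts.equiv"
    echo "$t"
}

t=$(demo_fixture)
audit_sap_dirs "$t/usr/sap" "$t/home/prdadm"
rsh_trust_files "$t/home" "$t/etc_hosts.equiv"
rm -rf "$t"
```

On a real host, call audit_sap_dirs with /usr/sap/trans, /usr/sap and the <sid>adm home, and rsh_trust_files with /home and the default hosts.equiv; any RSH-TRUST line at all is worth a finding, since rsh's host-based trust is exactly what the slide's engineer mistook for access control.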

Slide 40
Front-End Issues
Busting down the door citing section 404

Slide 41
What front-end?
- SAP has many:
  - SAPGUI
  - WebGUI/NetWeaver/ITS/EP
  - SAPRFC
- For the sake of time we will focus on SAPGUI
- These issues do apply elsewhere though

Slide 42
SAPGUI

Slide 43
SAPGUI
- See the box up next to the green tick?
- Use /? to start debugging
- Type in a transaction code (T-Code) to start a transaction

Slide 46
You can’t access those!
- I can access them (or equivalents) if restrictions are based on:
  - Easy Access menu items
  - Transactions only
  - Custom tables (e.g. a ZUSERS table of allowed users)
- Restrictions need to be implemented at the Authorization level
- So what else is there?

Slide 51
From the trenches
“As discussed in the meeting on with, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”

Slide 52
Database Skullduggery
Here be Dragons

Slide 53
Database Stuff
- The database contains all the data.
- The database is accessed by SAP users through the SAP system.
- The SAP database is not subject to the same controls as SAP itself.
- WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)

Slide 63
Custom SAP Code and Access Control
- ABAPs and Auths 101
- Authorization checks: AUTHORITY-CHECK OBJECT
- If the authority check statement isn’t there, it is assumed that you can go ahead!
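This slide's point, that a report with no AUTHORITY-CHECK is simply allowed, and the earlier "You can't access those!" slide's point, that a ZUSERS-style custom table is not an authorization check, both suggest a static review of custom code before sign-off. The script below is an added example, not code from the talk or from SAP: it scans a directory of exported ABAP sources (one report per *.abap file is an assumed layout) and flags reports with no AUTHORITY-CHECK OBJECT statement, as well as reports that issue one but never test sy-subrc, so the result is ignored. The three Z-reports it writes to a temp directory are constructed for the demo; S_TABU_DIS with its fields DICBERCLS and ACTVT is a standard SAP authorization object.

```shell
#!/bin/sh
# Added example, not from the original talk. Static scan of exported ABAP
# sources for missing or ignored authorization checks. Assumes POSIX sh,
# sed(1) and grep(1), and one report per *.abap file.

# Drop ABAP comments so a check mentioned only in a comment does not count:
# full-line comments start with "*" in column 1, trailing comments with '"'.
strip_comments() {
    sed -e '/^\*/d' -e 's/".*$//' "$1"
}

# Classify one ABAP source file. Echoes one of:
#   NO-CHECK       no AUTHORITY-CHECK OBJECT statement at all (always allowed)
#   CHECK-IGNORED  the statement is there but sy-subrc is never examined
#   OK             the check is issued and its result is tested
# Keyword matching is case-insensitive, as ABAP itself is. "sy-subrc
# anywhere after stripping comments" is a heuristic, not a data-flow check.
classify_report() {
    if ! strip_comments "$1" | grep -qi 'AUTHORITY-CHECK[[:space:]]*OBJECT'; then
        echo "NO-CHECK"
    elif ! strip_comments "$1" | grep -qi 'sy-subrc'; then
        echo "CHECK-IGNORED"
    else
        echo "OK"
    fi
}

# Scan a directory: print "<verdict> <file>" for every report that is not OK.
# Returns 0 when nothing was flagged, 1 otherwise.
scan_abap_dir() {
    flagged=0
    for f in "$1"/*.abap; do
        [ -f "$f" ] || continue
        v=$(classify_report "$f")
        if [ "$v" != "OK" ]; then
            echo "$v $f"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample reports for the demo (not real customer code).
write_samples() {
    d=$(mktemp -d)
    # Gates on a custom ZUSERS table: not an authorization check at all.
    cat > "$d/zweak_users.abap" <<'EOF'
REPORT zweak_users.
DATA lv_user TYPE syuname.
SELECT SINGLE uname FROM zusers INTO lv_user WHERE uname = sy-uname.
IF sy-subrc <> 0.
  MESSAGE 'Not in ZUSERS' TYPE 'E'.
ENDIF.
WRITE: / 'Sensitive data follows'.
EOF
    # Issues the check but never looks at the result.
    cat > "$d/zignored.abap" <<'EOF'
REPORT zignored.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'SC'
  ID 'ACTVT'     FIELD '03'.
WRITE: / 'Sensitive data follows'.
EOF
    # Checks and acts on the result.
    cat > "$d/zok.abap" <<'EOF'
REPORT zok.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'SC'
  ID 'ACTVT'     FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
ENDIF.
WRITE: / 'Sensitive data follows'.
EOF
    echo "$d"
}

d=$(write_samples)
scan_abap_dir "$d" || echo "review needed: see flagged reports above"
rm -rf "$d"
```

A NO-CHECK verdict is not automatically a defect (a report may be reached only through a transaction that is itself checked), but each one needs a documented reason, and a CHECK-IGNORED verdict is a defect every time: the check ran and the report carried on regardless.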

Slide 69
Business Process Hacking
- When your business processes are correctly aligned, all is good.
- When they aren’t…
- … and it’s even worse when it’s legislation

Slide 70
BPH vs. Social Engineering
From the Canadian Charter of Rights and Freedoms:
20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
a) there is a significant demand for communications with and services from that office in such language; or
b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
Is this charter open to abuse?

Slide 71
BPH Example
- User provisioning policy not correctly implemented
- Weakness: new users created but old ones not disabled
- Result: accounts can be used after owners leave
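The weakness on this slide, leavers whose accounts are never disabled, is what a periodic reconciliation between HR and the user master is for. The script below is an added example, not code from the talk: it joins an HR leavers list against an export of SAP user records and prints every leaver who can still log on. The export format is a constructed two-column CSV in the shape of USR02's BNAME and UFLAG columns (UFLAG 0 means the account is not locked; 64 and 128 are SAP's administrator-lock and failed-logon-lock values), and the usernames are made up for the demo. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original talk. Reconciles an HR leavers list
# against a user-master export and prints leavers still able to log on.
# Assumes POSIX sh and awk(1).

# $1: leavers file, one username per line (matched case-insensitively).
# $2: CSV export with a header row: BNAME,UFLAG  (UFLAG 0 = not locked).
# Prints each leaver whose account is still unlocked, one per line, in
# export order. A blank UFLAG counts as unlocked so that it gets looked at.
stale_accounts() {
    [ -s "$1" ] || return 0          # no leavers: nothing to reconcile
    awk -F, '
        NR == FNR { left[toupper($1)] = 1; next }   # first file: leavers
        FNR == 1  { next }                          # second file: skip header
        toupper($1) in left && ($2 + 0) == 0 { print toupper($1) }
    ' "$1" "$2"
}

# Constructed sample inputs for the demo (not real data).
write_samples() {
    d=$(mktemp -d)
    printf 'jsmith\nmdoe\npkelly\n' > "$d/leavers.txt"
    printf 'BNAME,UFLAG\nJSMITH,0\nMDOE,64\nPKELLY,0\nABLOGGS,0\nSAP*,128\n' > "$d/usr02.csv"
    echo "$d"
}

d=$(write_samples)
stale_accounts "$d/leavers.txt" "$d/usr02.csv"
rm -rf "$d"
```

In the sample, MDOE has already been locked by an administrator and ABLOGGS is not a leaver, so only JSMITH and PKELLY are reported. Run against a real export, every line printed is an account that the provisioning process on the slide should have disabled and did not.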

Slide 72
BPH Example #2
- Evening meal expense claim requires the signature of the most senior person present
- Then signed off by a person at a higher grade
- No requirement to list the people present

Slide 73
How does this tie into SAP?
- SAP process integration
- If the process fits…
- If it doesn’t?

Slide 79
Why?
- OWASP is great for Web-based stuff
- It’s great for toy applications
- It’s not great for large business systems:
  - Not applicable
  - Not relevant
  - Not ‘Enterprise Grade’

Slide 83
Conclusions
- SAP is teh r0x0r
- The people who implement it aren’t necessarily so
- OWASP-EAS will help them… to a point